With remote access being critical in stopping the spread of the coronavirus, I decided to write a tutorial that makes it as simple as possible to set up VPNs for your small business. While I think most people who own one of these firewalls know how to set this up, I want to make sure anyone who is having trouble has a resource they can turn to in a pinch.
This tutorial assumes that you have a Check Point SMB device already deployed, setup, and running Gaia Embedded R80.20 (These instructions will probably work on Gaia Embedded R77 as well).
1. The Network
We have a very simple network here, but after following this guide, you should be able to adopt it to a multitude of network topologies. The internal LAN uses the 10.0.2.0/24 subnet and the VPN subnet that we are going to build in this guide will use 172.16.11.0.24.
2. Understanding Your Firewall Setup
If you deployed your Check Point SMB device properly (I should say traditionally, because different businesses may have different requirements), it should be getting a public IP address. This can be found on the System Overview page on the top right.
Now, you have to understand how you receive your public IP. If you have a Reserved IP, then you can just connect to your VPN using the the reserved IP address or use a domain record associated with that IP. However, if you get your IP Dynamically, then you have to keep a few things in mind:
How often does my IP change?
Do I have Dynamic DNS Setup?
If your IP address doesn’t change often, then you would probably be safe using your VPN with your public IP. However, if your public IP does change often, then you are going to need to set up Dynamic DNS.
Now, with Gaia Embedded, there are a few built in options. If you go to Device>DDNS & Device Access, you’ll see the built in options for Dynamic DNS that Gaia Embedded is compatible with out of the box.
Checkpoint offers no-ip or DynDns as built-in providers. You’ll have to set up an account with them to get this working, but I believe they have some free tiers available. Just make an account and enter your credentials and hostname.
Or, you can be super cool and install Linux on your device and then use ddclient and use a multitude of other providers such as Google Domains or AWS Route 53. See this guide written by Devin Marks for more details. (This may be complicated for beginners and is not a supported feature by Check Point, but you will instantly be cooler than your friends who aren’t running Kali Linux on their firewalls :P.)
Any of the options will work, just make sure you are familiar with your Internet setup before continuing. You can reach out to us at contact@spikefishsolutions.com or send us a DM on Twitter/Instagram @teamspikefish if you have any questions on what to do.
Next, we are going to want to set up some user accounts for employees in your company. Go to Users & Objects>Users Management>Users
Next, hit the little arrow next to New and hit New User Group
(Please ignore my existing VPN users, I was too lazy to remove them during this write-up.)
Make a group name and check Remote Access permissions.
Then hit New and start creating accounts for your employees. You’ll probably want them to set their own passwords for security reasons as you should not know their passwords. Make sure to check Remote Access Permissions too. Then hit Apply.
Once you have all your users selected, hit Apply again on the New Local Group window.
You should now have the new users and the new groups in your Users page:
4. Setting Up the VPN
After setting up your user group and accounts, it’s time to build the VPN. Go to VPN>Remote Access>Blade Control
Next, you are going to want to turn the VPN Remote Access Control blade on and select which medium you want employees to be able to connect to the network with. Personally, I like the Check Point VPN Client and the Mobile Client because of how easy it is to use. We are going to focus on those two in this tutorial.
So officially, our VPN is now on, however, we are going to review some settings in the Advanced Section.
We can see that I have set anyone who joins the network to receive an IP address in the 172.16.11.0 subnet. Using a mask of 255.255.255.0 or /24, I will theoretically be able to have up to 254 devices connect to my VPN (I don’t expect this to happen at all.)
Now you can see I have Route Internet traffic from connected clients through this gateway selected. This will send all traffic through this Check Point SMB appliance, regardless if a person is accessing a company asset or not. This essentially treats all VPN connections as if they were running through the Internet connection you have at work.
You don’t have to select this, but it's a worthwhile option that will ensure all traffic is being encrypted no matter what network your employees are on, such as a public Wi-Fi. It will also allow all your other firewall blades, such as App and URL Filters, IPS, and Threat Emulation to capture and scan all traffic.
Keep in mind that if your business’s internet connection is not strong enough, this might slow down everyone's experience so make sure you can handle the increased capacity.
You can also see that my Local encryption domain is defined manually. Yours is probably set to automatic, which can be left as is. (Mine is set to manual as there are more advanced network configurations behind this firewall that are not part of this tutorial.)
SSL VPN bookmarks allow you to predefine network asset locations for your VPN users, but we are going to ignore that in this tutorial.
5. Checking the Firewall Rules
Now that the VPN has been enabled, we can check the new rules created in the firewall policy. Go to Access Policy > Firewall > Policy.
In the Auto Generated Rules section of Incoming, Internal and VPN Traffic section, you can see a new rule has been made:
This allows anyone using the VPN to reach any asset on the internal network. If you look back to our topology map, you can see that all devices reside on the 10.0.2.0/24 network. This means that anyone who has VPN Remote Access, can reach any device on the 10.0.2.0/24 network.
Now, if you are routing all traffic through your network, you are going to need to make an outbound firewall rule in the Outgoing access to the Internet section of the firewall policy. Without this, VPN users won't be able to access to the Internet, only your local subnets. I made a rule that allows anyone on the remote access subnet of 172.16.11.0 to reach the Internet.
6. CAN WE CONNECT ALREADY?!?!
Yes we can! First, you need to download and install the VPN client on your device. You can download the clients for Windows/Mac here. There are also clients available for Android and iPhone. In this guide, I will show you how to use the client once installed on Windows, but the instructions should be roughly the same on other operating systems.
Once you have the client installed, find the yellow icon and hit VPN Options.
Next, hit New.
Follow the Wizard and hit Next and fill in your public IP address or Dynamic DNS Address. In my example, I am using a dynamic DNS domain address
Select VPN as your preferred login and hit Next
Select Username and Password as your Authentication Method.
You should get a successful message and a question to Connect. Hit Yes.
Enter your credentials and hit Connect.
If all is working, you should see your VPN is now connected if you hover over the yellow lock.
If you do an ipconfig, you can see that I now have an IP address of 172.16.11.2, which is part of my remote access subnet.
Congrats! You have now successfully set up your VPN.
I can also see who is connected at any given time by going to VPN>Remote Access>Connected Remote Users
Greg_Smith has connected and I can see his VPN IP address as well
Now anyone on the VPN network can use Remote Desktop, SSH, SMB Share on the 10.0.2.0 network without issue. You can see below me using Remote Desktop over the VPN and it being decrypted in the Check Point logs, along with all the other Internet traffic.
If you need any help setting up Remote Access with Check Point or any other vendor, please reach out to us at contact@spikefishsolutions.com or DM us @teamspikefish on Twitter/Instagram. We are here to help during this time of crisis and it benefits all of us to keep businesses of all sizes up and running. Check out our other blog about setting up ZeroTier for remote access as well and our FREE remote access solutions page.
Hey Edmund, We have a few blogs written about Cisco ISE and Check Point, which I encourage you to check out. I think its definitely possible authenticate VPN users using Radius and ISE. Although we haven't tested using Radius and ISE for VPNs specifically, we do have a guide on setting up 2-Factor authentication using Radius and Google Authenticator. If you want to discuss your specific scenario in more detail, send us an email to contact@spikefishsolutions.com. It may result in a new blog post being written :P.
Hi, this document is excellent. I am trying to setup my firewall remote access vpn users to authenticate VIA ISE using Radius. Do you have any document or info on how to accomplish this. Trying to understand what needs to be configured on the ISE side to allow VPN authorization and authentication for local or AD database with Check Point being the VPN termination point.
Thanks Much